How to allocate budget for a well-rounded cybersecurity portfolio

Getting the C-levels to approve an IT security budget is probably one of the most difficult and exasperating tasks that security professionals and IT managers have to do each year. Information security doesn’t contribute directly to the bottom line in most companies and management often views it as a cost. That’s why it’s essential for infosec professionals and IT managers to allocate the budget they do get as effectively as possible. What should a well-rounded cybersecurity portfolio look like?

Industry estimates suggest that enterprises spend up to 75 percent of their security budget on prevention technologies alone, leaving only a quarter left over for other categories. Sure, prevention is important—we’d all love to stop cyber-attacks before they happen—but it can’t stop everything.

Motivated attackers will continue to find novel ways to get past preventative controls, so IT and security need to balance their infosec budget between multiple categories of security, including solutions that find malware that’s already infected your network. With that in mind, let’s look at what might make a more well-rounded security portfolio.

There are many different areas of security that you could spend budget on, (you can find a decent list of operational security areas in this SANS paper on IT Security Spending Trends), but for simplicity’s sake, let concentrate on three buckets:

1. Prevention – These are products or services designed to detect and block a cyber threat before it succeeds. Firewalls, antivirus, intrusion prevention systems (IPS), advanced malware protection solutions, cloud-based email filtering solutions and more are all considered prevention technology.

2. Detection and response – These solutions help identify and clean up a threat after it has infected a network. In other words, when an attack or malware makes it past preventative defenses, these products help IT learn about the threat and remediate it. Some examples include endpoint detection and response (EDR) products, security information and event management (SIEM) solutions, and other incident handling tools.

3. Business continuity and disaster recovery (BC/DR) – This bucket includes services and technologies that help recover IT systems and data needed to continue a business after a catastrophe, such as a cyber attack. Backup products or services, virtual and cloud-based hosting solutions, and even cyber insurance qualify as BC/DR spend.

As mentioned earlier, industry analysts estimate that companies spend 75 percent of their budget on prevention, which leaves a meager 25 percent split between BC/DR and detection and response combined. I believe this is far too little. A better ratio is 50 percent prevention, 30 percent detection and response, and 20 percent for BC/DR.

Why this mix? Prevention is important, but it will never be perfect. The latest sophisticated threats like polymorphic ransomware and fileless malware have proven that the defenders can’t block everything. For instance, the latest malware repacks itself regularly, often easily evading signature-based protections.

While more proactive, behaviorally-based malware solutions can help, even they aren’t perfect. I do recommend continuing to invest in prevention tools, especially advanced malware protection solutions that leverage machine learning and/or behavioral analysis proactively to catch new threats. But I advocate for only spending half of your budget on this area.

Next, I recommend allocating 30 percent of an infosec budget to detection and response to cut down on the time needed to detect malware after it’s infiltrated a network. Once an attack gets past the crunchy exterior of an organization’s protections, they often don’t have the tools needed to detect that threat.

According to the latest Cost of a Data Breach study from Ponemon Research and IBM, it takes over 190 days on average to identify attacks that have infected a network. This is far, far too long. It takes minutes and hours—not days—to steal terabytes of data. The amount of damage a focused attacker could do in 190 days is mind-boggling. Organizations need to bring this average detection time (also known as dwell time) down, preferably to minutes. That’s why I believe experts should refocus a significant chunk of their security budgets towards detection and response tools.

Today, endpoint detection and response (EDR) solutions are becoming more popular. These solutions run on endpoints and use many different methods to root out malware that’s already installed on a device. The best EDR solutions can also automatically clean up or remediate any threats it finds. If you are a small to medium business, you should also consider detection and response tools that correlate both endpoint and network indicators to find more sneaky and sophisticated infections.

Finally, I recommend investing at least 20 percent of a security budget in tools and services to help quickly recover your business-critical IT facilities in case of an emergency. This will help reduce the recovery time from a security incident and minimize the lost revenue during that time. If a cyber threat like ransomware or a DDoS attack takes out one of an organization’s critical IT resources, they will bleed money until that resource is restored. While a lot of BC/DR is about process, there are a number of products and services including backup, hosting services and virtualization that help.

Here are some specific BC/DR best practices. While most organizations at least backup their data, surprisingly few have a procedural disaster recovery plan. Without a plan, businesses will waste time (and thus money) scrambling to respond to a cyber attack. Also, many businesses with backups haven’t considered how long it takes to recover those backups. If it takes two days to recover backups after a ransomware attack, the attack will still cost the victim a significant amount of money. I’d recommend looking into hybrid cloud backups, which can speed time to recovery. Cyber insurance also makes a good DC/BR investment as it covers many of the costs incurred from security incidents.

To be clear, this is a simplified view of a balanced security budget. There are many other potentially important areas of infosec spend, such as end-user awareness and training, compliance and auditing, and risk reduction. However, the major problem I see today is prevention getting far too much of overall security budgets while it takes months for businesses to find breaches (let alone clean them up), and they don’t have a plan in place to recover from them.

If security professionals and IT managers drop their prevention budget to 50 percent, they can spend 30 percent more on tools that find attacks that got past their defenses and 20 percent more on recovering their business systems quickly. These improvements alone could make it significantly easier to get additional budget out of your executives next year.